More minor: I notice that ./zookeeper-server/src/main/resources/lib/jetty-client-9.4.34.v20201102.LICENSE.txt is included in the release even though the jar is no longer used. It should be removed.
Regards,

Patrick

On Fri, Dec 4, 2020 at 1:53 PM Patrick Hunt <[email protected]> wrote:

> -1 - the dependency check is failing with a known CVE
>
> $ mvn clean package -DskipTests dependency-check:check
> ...
> [ERROR] One or more dependencies were identified with vulnerabilities that
> have a CVSS score greater than or equal to '0.0':
> [ERROR]
> [ERROR] jetty-server-9.4.34.v20201102.jar: CVE-2020-27218
> [ERROR] jetty-http-9.4.34.v20201102.jar: CVE-2020-27218
> [ERROR]
>
> Patrick
>
>
> On Tue, Dec 1, 2020 at 8:58 AM Norbert Kalmar <[email protected]> wrote:
>
>> This is a bugfix release candidate for 3.5.9. It contains 24 fixes,
>> including 2 CVE fixes.
>>
>> The full release notes are available at:
>>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12348201
>>
>> *** Please download, test and vote by December 4th 2020, 23:59 UTC+0. ***
>>
>> Source files:
>> https://people.apache.org/~nkalmar/zookeeper-3.5.9-candidate-0/
>>
>> Maven staging repo:
>>
>> https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.5.9/
>>
>> The release candidate tag in git to be voted upon: release-3.5.9-rc0
>>
>> ZooKeeper's KEYS file containing PGP keys we use to sign the release:
>> https://www.apache.org/dist/zookeeper/KEYS
>>
>> Should we release this candidate?
>>
>> - Norbert
>>
